A surveillance finding lands on a Friday. Always a Friday.
By 4 p.m. the CTO has the email. By 4:30 p.m. the engineering team is on a bridge call. By 5 p.m. someone has texted the CEO with the word "exposure." By 6 p.m. the weekend is over.
I have watched this happen at hospitals, payers, and Series B digital health startups. Different rooms, same pattern.
What no one tells you about regulator findings
The financial penalty is rarely the worst part. The fine, if there is one, is a line item your legal team is already modeling. The corrective action plan is a project your engineering team can scope.
The cost no one prices is what happens to the team.
Your CTO loses the weekend. Your engineering lead loses the sprint. Your audit committee loses confidence in the technical organization. Your CEO spends Monday calling the board instead of selling. Your Series B lead asks for the corrective action plan and the diligence timeline starts. Your best engineer, the one who already had a recruiter calling, decides this is the moment.
None of this shows up on a regulator's public list. It shows up in burnout, in attrition, in lost momentum, and in the cost of replacing the senior people who were supposed to be focused on the product roadmap.
Defect prevention is the only strategy that beats incident response. Every other approach is just expensive theater.
Why I started doing this
In 2007, my wife died seven days after our third daughter was born, due to mistakes made by hospital staff. I have three daughters.
Rather than walk away from healthcare, I went deeper into it. I spent the next sixteen years building the clinical safety systems that prevent the failure that killed my family. MEWS, the Modified Early Warning Score. Real-time SEPSIS alerting at Providence Health System, validated in Epic, now standard of care. A Defect Prevention Governance framework that secured $13 million in annual risk avoidance with zero critical defects introduced into production over fifteen years.
That number is not a marketing flourish. It is what disciplined upstream engineering looks like when you build for the people downstream who cannot afford the Friday call.
What TAP is
TAP, our Technical Audit Protocol, is the engineering distillation of that work. It is the pen-test before the certification audit. We find what Drummond, ICSA Labs, and SLI Compliance will find, while there is still time to fix it. Citation-level findings against the regulator's own framework. A remediation backlog your engineering team can ship. A board-ready summary your CTO can hand to the audit committee.
We built it because the Friday call should not be how an organization learns where its FHIR endpoint fails.
Patient data ownership is a patient right, not a regulatory checkbox. The work is to make sure the system that touches that data does not break. Quietly, upstream, on a Tuesday.
Not on a Friday.